THREAT INTELLIGENCE CENTER: TARGETED ATTACKS

Will Your Passwords Pass the Test?

WRITTEN BY

Oscar Celestino Angelo Abendan ll

What do the sites LinkedIn, eHarmony, last.fm, League of Legends, and Yahoo! have in common? All of these websites suffered from major data leaks that exposed millions of user names and passwords online. These incidents tell us that most Internet users are still using unsecure passwords or have too many have short passwords like 1234. Users also go for passwords that are easy to guess. The Yahoo! hacking incident showed that the 450,000 exposed user names and passwords mainly consisted of consecutive numbers like 12345 and the word password.

Unfortunately, we won’t be seeing the last of these data-stealing attacks. As long as cybercriminals can profit from stolen data, they will continuously attempt to hack users’ accounts. If and when this happens, are confident about your password’s strength? Does your password stand a chance against potential attackers?

Why should I protect my passwords?

The idea of passwords is as old as history itself. Remember the famous line in the story Ali Baba and the Forty Thieves “Open, sesame!”? If you’re familiar with the story, you know why the thieves had to use a password –to protect something precious.

That’s how our modern day passwords function. They serve as keys to our online life. Passwords protect our identities and sensitive information like online banking credentials and credit card information. These data are our equivalent of the Forty Thieves’ treasure. And similar to real life, there are also modern-day thieves or cybercriminals who want to get hold of your precious information. Once they steal your data, anyone can become victims to cybercriminals’ schemes such as identity theft and in some cases, actual money loss.

Consider these facts about passwords when you pick the wrong ones:

Important data are being stolen every 3 seconds.

8.1 million U.S. adults were victims of identity fraud

Credit card fraud costs card holders and credit card issuers as much as US $500 M a year

How are passwords stolen?

Brute-force attacks. Cybercriminals systematically combine letters, numbers, and characters in an attempt to uncover your password. Attackers typically start with picking out every word in the dictionary. They may also add previously cracked words to the roster of possible combinations. In effect, every successful breach adds to their database of possible password combinations.

Social engineering attacks. Cybercriminals use popular news items, brand name, celebrities, and world events to trick users into providing their passwords. They may also use bogus contests, promos, and prizes as bait. Some of the noteworthy threats we’ve seen include a spammed message that leverages the upcoming London 2012 Olympics, a fake eBay page for an iPhone 4S, and a malicious site that supposedly offers a download page for the highly anticipated video game Diablo 3.

Phishing emails/pages. Users receive email that spoofs a bank, credit card company, or other well-known organizations. These messages instruct user to click a link to update their supposed accounts. Once clicked, they are led to a phishing site that tries to copy the legitimate websites. Unwitting users may be tricked into providing their account information to these sites.

Data breaches. Cybercriminals or certain groups may hack into a corporate network to steal crucial information like customer data, trade secrets, and the like. Notable organizations like Sony, SK Communications, and Yahoo! were affected by data breaches in the past.

Should I include words in my passwords?

It’s best to avoid common words found in the dictionary, familiar names, or popular brand names. Cybercriminals can easily figure out passwords made of commonly used words via mainstream brute- force attacks. The trick is to use words, phrases or sentences that are difficult to crack. The more gibberish your password contains, the better. If you’re thinking of using “IloveTwilightverymuch” as a password, you might as well hand over your password to the hackers.

How do I create a secure password?

There are different ways to create a secure password. One way is to create a sentence that will stick to you. Make it as memorable to you as possible. You can be as creative as you want, though the sentence needs to stand out in your memory.

For example: “Queen and The Beatles are my favorite bands of all time according to a random survey.”

Using sentences as they are is not 100% safe. The next step is to take the initial letter of each word. You now have “QATBAMFBOATATARS”. This is going to be your basis for your password. Consider it like a mold of clay, which you can use to shape into anything you want.

Next you have to mix it up with upper and lowercase characters, numbers, and special characters. Some sites may limit the special characters, so you have to adjust your password accordingly. But as long as websites allow special characters, use them. It’s also wise to make the numbers nonconsecutive e.g. 1234 or 98765.

Taking these into consideration, we can turn QATBAMFBOATATARS into Q@TB@mfB0@T@Tr$.

You now have a secure password.

Is it okay if I create a short password?

No. The previous rule is to create passwords with at least 8 characters, though experts are advocating a minimum of 14. You can make it as long as you want. However, some sites have a certain limit to the number of characters. As long as you follow the maximum limit of characters of the site, that won’t be a problem. However, a password’s strength is not determined solely by its length.

Should I use one password for all my online accounts?

No. Doing so render all of your efforts to create a secure password useless. Once a cybercriminal hacks into one of your accounts, he/she can use that to hack your other accounts. If you used a different password, then it won’t be a problem.

Should I include my name or any personal information about me in the password?

No. Avoid including sensitive information such as your social security number and complete name in your password. However, you may use information such as your dog’s name, location of a memorable trip, or any random but noncrucial fact about yourself. Just make sure that you are the only one who knows this information.

Should I regularly change my passwords?

Yes. Make it a habit to regularly change your passwords to keep the hackers guessing.

It can be difficult to remember all my passwords. Is it okay if I write them down?

No. Listing down your passwords on a notebook or a piece of paper can easily get lost or stolen, which puts you and your online accounts at immediate risk. Not to mention the hassle of retrieving and resetting your passwords.

The best alternative is to use password management software such as Trend Micro Direct Pass, which stores your passwords in a secure location and are encrypted. It also synchronizes your devices in the cloud, which helps you conduct secure transactions wherever you may be.

What will happen once hackers get hold of my password?

There are a number of things that hackers can do with your passwords. Here are a few:

Include your email addresses in their spamming list. Cybercriminals can now flood your inboxes with spam, which puts you at risk of becoming victim to more menacing threats

Conduct unauthorized transactions. Using your passwords, they can now transfer money and purchase items without your consent.

Use your identity. Cybercriminals can use your identity as a way to cover their tracks from law enforcement.

Peddle your identity to the underground market. Cybercriminals can sell your information to other groups of cybercriminals, who will use your data in their other schemes. For example, based on an underground research, your PayPal login credential may amount to US$1 to US $5 in the underground market. Just imagine if the bad guys harvest more than hundreds of these in a day!

To summarize what we’ve learned, here’s a checklist of what you need to consider in creating passwords.